Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: dsa: microchip: Don&amp;#39;t free uninitialized ksz_irq<br /> <br /> If something goes wrong at setup, ksz_irq_free() can be called on<br /> uninitialized ksz_irq (for example when ksz_ptp_irq_setup() fails). It<br /> leads to freeing uninitialized IRQ numbers and/or domains.<br /> <br /> Use dsa_switch_for_each_user_port_continue_reverse() in the error path<br /> to iterate only over the fully initialized ports.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> atm/fore200e: Fix possible data race in fore200e_open()<br /> <br /> Protect access to fore200e-&gt;available_cell_rate with rate_mtx lock in the<br /> error handling path of fore200e_open() to prevent a data race.<br /> <br /> The field fore200e-&gt;available_cell_rate is a shared resource used to track<br /> available bandwidth. It is concurrently accessed by fore200e_open(),<br /> fore200e_close(), and fore200e_change_qos().<br /> <br /> In fore200e_open(), the lock rate_mtx is correctly held when subtracting<br /> vcc-&gt;qos.txtp.max_pcr from available_cell_rate to reserve bandwidth.<br /> However, if the subsequent call to fore200e_activate_vcin() fails, the<br /> function restores the reserved bandwidth by adding back to<br /> available_cell_rate without holding the lock.<br /> <br /> This introduces a race condition because available_cell_rate is a global<br /> device resource shared across all VCCs. If the error path in<br /> fore200e_open() executes concurrently with operations like<br /> fore200e_close() or fore200e_change_qos() on other VCCs, a<br /> read-modify-write race occurs.<br /> <br /> Specifically, the error path reads the rate without the lock. If another<br /> CPU acquires the lock and modifies the rate (e.g., releasing bandwidth in<br /> fore200e_close()) between this read and the subsequent write, the error<br /> path will overwrite the concurrent update with a stale value. This results<br /> in incorrect bandwidth accounting.

A reflected Cross-Site Scripting (XSS) vulnerability has been identified in TechStore version 1.0. The user_name endpoint reflects the id query parameter directly into the HTML response without output encoding or sanitization, allowing execution of arbitrary JavaScript code in a victim’s browser.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> team: Move team device type change at the end of team_port_add<br /> <br /> Attempting to add a port device that is already up will expectedly fail,<br /> but not before modifying the team device header_ops.<br /> <br /> In the case of the syzbot reproducer the gre0 device is<br /> already in state UP when it attempts to add it as a<br /> port device of team0, this fails but before that<br /> header_ops-&gt;create of team0 is changed from eth_header to ipgre_header<br /> in the call to team_dev_type_check_change.<br /> <br /> Later when we end up in ipgre_header() struct ip_tunnel* points to nonsense<br /> as the private data of the device still holds a struct team.<br /> <br /> Example sequence of iproute2 commands to reproduce the hang/BUG():<br /> ip link add dev team0 type team<br /> ip link add dev gre0 type gre<br /> ip link set dev gre0 up<br /> ip link set dev gre0 master team0<br /> ip link set dev team0 up<br /> ping -I team0 1.1.1.1<br /> <br /> Move team_dev_type_check_change down where all other checks have passed<br /> as it changes the dev type with no way to restore it in case<br /> one of the checks that follow it fail.<br /> <br /> Also make sure to preserve the origial mtu assignment:<br /> - If port_dev is not the same type as dev, dev takes mtu from port_dev<br /> - If port_dev is the same type as dev, port_dev takes mtu from dev<br /> <br /> This is done by adding a conditional before the call to dev_set_mtu<br /> to prevent it from assigning port_dev-&gt;mtu = dev-&gt;mtu and instead<br /> letting team_dev_type_check_change assign dev-&gt;mtu = port_dev-&gt;mtu.<br /> The conditional is needed because the patch moves the call to<br /> team_dev_type_check_change past dev_set_mtu.<br /> <br /> Testing:<br /> - team device driver in-tree selftests<br /> - Add/remove various devices as slaves of team device<br /> - syzbot

Rejected reason: This CVE id was assigned to an issue which was later deemed not security relevant.

Improper Neutralization of Input During Web Page Generation (XSS or &amp;#39;Cross-site Scripting&amp;#39;) vulnerability in Hotech Software Inc. Otello allows Stored XSS.This issue affects Otello: from 2.4.0 before 2.4.4.

Missing Authorization vulnerability in VillaTheme HAPPY happy-helpdesk-support-ticket-system allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects HAPPY: from n/a through

Missing Authorization vulnerability in Vikas Ratudi Chakra test chakra-test allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Chakra test: from n/a through

Improper Neutralization of Input During Web Page Generation (&amp;#39;Cross-site Scripting&amp;#39;) vulnerability in CodexThemes TheGem Theme Elements (for Elementor) thegem-elements-elementor.This issue affects TheGem Theme Elements (for Elementor): from n/a through

Improper Control of Filename for Include/Require Statement in PHP Program (&amp;#39;PHP Remote File Inclusion&amp;#39;) vulnerability in CodexThemes TheGem Theme Elements (for Elementor) thegem-elements-elementor.This issue affects TheGem Theme Elements (for Elementor): from n/a through

Improper Neutralization of Special Elements used in an SQL Command (&amp;#39;SQL Injection&amp;#39;) vulnerability in Ruben Garcia AutomatorWP automatorwp allows SQL Injection.This issue affects AutomatorWP: from n/a through

Improper input validation at one of the endpoints of Eaton xComfort ECI&amp;#39;s <br /> <br /> web interface, could lead into an attacker with network access to the device executing privileged user commands. As cybersecurity<br /> standards continue to evolve and to meet our requirements today, Eaton has decided to discontinue the<br /> product. Upon retirement or end of support, there will be no new security updates, non-security<br /> updates, or paid assisted support options, or online technical content updates.